Cybersecurity Architecture and Engineering Flashcards

1
Q

What are two ways to measure risk?

A

Quantitative and Qualitative

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Which risk response is also included when risk mitigation is performed?

A

Acceptance

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

This describes the probability of a threat being realized.

A

Likelihood

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

This describes the amount of loss during a one-year timespan.

A

Annualized Loss Expectancy (ALE)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

This phase of the risk management life cycle identifies effective means by which identified risks can be reduced.

A

Control

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

A _________________ should include detailed descriptions of the necessary steps required to successfully complete a task.

A

Process

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

This function of the NIST CSF defines capabilities needed for the timely discovery of security incidents.

A

Detect

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

A formal mechanism designed to measure performance of a program against desired goals.

A

Key Performance Indicator (KPI)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Which cloud service type represents the lowest amount of responsibility for the customer?

A

SaaS

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

This describes when a customer is completely dependent on a vendor for products or services.

A

Vendor lock-in

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

This describes when a copy of vendor-developed source code is provided to a trusted third party, in case of disaster.

A

Source code escrow

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

This describes all of the suppliers, vendors, and partners needed to deliver a final product.

A

The Supply Chain

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

A set of cybersecurity standards developed by the United States Department of Defense (DoD) and designed to help fortify the DoD supply chain.

A

CMMC

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

True or False. The use of cloud service providers always reduces risk.

A

False

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Which type of data can be used to identify an individual and includes information about past, present, or future health?

A

Protected Health Information (PHI)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Which type of data describes intangible products of human thought and ingenuity?

A

Intellectual Property (IP)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Which data destruction method is focused on the sanitization of the key used to perform decryption of data?

A

Crypto erase

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Which concept identifies that the laws governing the country in which data is stored have control over the data?

A

Data sovereignty

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

A non-regulatory agency in the United States that establishes standards and best-practices across the entire science and technology field is known as:

A

NIST

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

What regulation enforces rules for organizations that offer services to entities in the European Union (EU) or that collect and/or analyze data on subjects located there?

A

GDPR

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Which U.S. federal law is designed to protect the privacy of children?

A

COPPA

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

Which process is designed to provide assurance that information systems are compliant with federal standards?

A

Assessment and Authorization

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

This describes the identification of applicable laws depending on the location of the organization, data, or customer/subject.

A

Jurisdiction

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

What concept is often linked to the “prudent man rule”?

A

Due care

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
This describes when an organization's legal team receives notification instructing them to preserve electronically stored information.
Legal hold
26
What type of agreement is often described as an "umbrella" contract that establishes the agreement between two entities to conduct business?
Master Services Agreement (MSA)
27
Which agreement governs services that are both measurable and repeatable and also generally include enforcement mechanisms that result in financial penalties for non-compliance?
Service Level Agreement (SLA)
28
What is the last step in a business continuity plan?
Maintenance
29
NIST defines this as "An analysis of an information system’s requirements, functions, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption."
Business Impact Analysis
30
This generally defines the amount of data that can be lost without irreparable harm to the operation of the business.
Recovery Point Objective
31
Which type of assessment seeks to identify specific types of sensitive data so that its use and handling can be properly disclosed?
Privacy Impact Assessment
32
Using other branch locations to manage a disaster response is referred to as:
Alternate Operating Facilities
33
Which type of DR site has lowest operating expense and complexity?
Cold Site
34
This type of site is one that can be activated and used within minutes.
Hot Site
35
This term describes when cloud service offerings are used for DR capabilities.
DRaaS, DR as a Service
36
True or False. Incident response should only involve the information technology department.
False
37
True or False. BCDR is a technical capability and so senior leadership involvement is not required.
False
38
True or False. BCDR plans should not be tested as doing so may break production systems.
False
39
Which type of simulation test includes a meeting to review the plans and analyze their effectiveness against various BCDR scenarios?
Walk-through
40
Which type of simulation test is used to determine whether all parties involved in the response know what to do and how to work together to complete the exercise?
Tabletop Exercise
41
When performing this type of test, issues and/or mistakes could cause a true DR situation:
Full Interruption
42
What are the two main components of a VPN?
Creating a tunnel and protecting data via encryption
43
Identify some ways a VPN might help an adversary avoid detection.
Answers will vary but should include a description of hiding data/activities and geographic location.
44
Describe a solution designed to validate the health of an endpoint prior to allowing access.
Network Access Control (NAC)
45
This is a passive technology used to provide visibility into network traffic within a switch.
Test Access Port or TAP
46
What version of SNMP should be used whenever possible?
Version 3
47
Which type of environment is characterized by having hosts and networks available for use by visitors, such as the public or vendors?
Guest
48
This describes a specially configured, highly hardened, and closely monitored system used to perform administrative tasks.
Jump Box
49
This type of network segmentation differs from a traditional network segmentation approach as it provides much higher levels of security, granularity, and flexibility.
Microsegmentation
50
What type of architecture adopts the approach of "never trust, always verify"?
Zero Trust Architecture
51
This implementation creates a software-defined network by utilizing existing physical network equipment.
SDN Overlay
52
This describes improving performance by adding additional resources to an individual system, such as adding processors, memory, and storage to an existing server.
Scaling vertically
53
A ______________________________________ leverages the global footprint of cloud platforms by distributing and replicating the components of a service to improve performance to all the key service areas needing access to the content.
Content Delivery Network (CDN)
54
What design strategy often conflicts with information technology management approaches that look to consolidate platforms and reduce product portfolios?
Heterogeneity/Diversity
55
Which type of virtualization allows the client to either access an application hosted on a server or stream the application from the server to the client for local processing?
Application Virtualization
56
This non-profit organization provides guidance and best practices on the development and protection of web applications.
OWASP
57
What are some of the functions that can be performed via a Container API?
Some examples include list logs generated by an instance; issue commands to the running container; create, update, and delete containers; and list capabilities.
58
What environment is used to merge code from multiple developers to a single master copy and subject it to unit and functional tests?
Test or Integration Environment
59
Which type of application testing is frequently performed using scanning tools such as OWASP's Zed Attack Proxy (ZAP)?
Dynamic Application Security Testing (DAST)
60
This describes middleware software designed to enable integration and communication between a wide variety of applications throughout an enterprise.
Enterprise Service Bus (ESB)
61
True or False. Traditional software development models incorporate security requirements throughout all phases.
False
62
Which type of software testing ensures that a particular block of code performs the exact action intended and provides the exact output expected?
Unit Testing
63
Which type of testing verifies that individual components of a system are tested together to ensure that they interact as expected?
Integration Testing
64
What development model includes phases that cascade with each phase starting only when all tasks identified in the previous phase are complete?
Waterfall
65
What development model incorporates Security as Code (SaC) and Infrastructure as Code (IaC)?
SecDevOps
66
Storing passwords using this method should be disabled as it provides marginal improvements in protection compared to simply storing passwords in plaintext.
Reversible Encryption
67
What is the term used to describe when credentials created and stored at an external provider are trusted for identification and authentication?
Federation
68
Which access control model is a modern, fine-grained type of access control that uses a type of markup language call XACML?
Attribute-Based Access Control (ABAC)
69
What authentication protocol is comparable to RADIUS and associated with Cisco devices?
TACACS+
70
What authentication scheme uses an HMAC built from a shared secret plus a value derived from a device and server's local timestamps?
Time-Based One Time Password (TOTP)
71
In which stage of the data life cycle is data shared using various mechanisms, such as email, network folders, websites, or cloud storage?
Use
72
Describe some of the critical elements included in data management.
Answers will vary but should include descriptions of data inventory, data mapping, backups, quality assurance, and integrity controls.
73
Identify some practical DLP example use-cases.
Blocking use of external media, print blocking, Remote Desktop Protocol (RDP) blocking, clipboard privacy controls, restricted virtual desktop infrastructure (VDI) implementation, data classification blocking.
74
What is the name of the data obfuscation method that replaces sensitive data with an irreversible value?
Tokenization
75
What data obfuscation method is designed to protect personally identifiable information so that data can be shared?
Anonymization
76
Which type of virtualization platform supports microservices and server-less architecture?
Containerization
77
_____________________________ is assigned to cloud resources through the use of tags and is frequently exploited to expose configuration parameters which may reveal misconfigured settings.
Metadata
78
Which type of cloud service model can be described as virtual machines and software running on a shared platform to save costs and provide the highest level of flexibility?
Multi-tenant
79
After powering-up a virtual machine after performing maintenance, the virtual machine is no longer accessible by applications previously configured to connect to it. What is a possible cause of this issue?
The IP address was reassigned to another instance.
80
Which type of storage model supports large amounts of unstructured data and is commonly used to store archives and backup sets?
Blob Storage
81
Which technology uses a ledger distributed across a peer-to-peer (P2P) network?
Blockchain
82
___________________ reality emulates a real-life environment through computer-generated sights and sounds.
Augmented/Virtual
83
This term describes computer-generated images or video of a person that appear to be real but are instead completely synthetic and artificially generated.
Deep Fake
84
______________ computers use information represented by spin properties, momentum, or even location of matter as opposed to the bits of a traditional computer.
Quantum
85
Which technology allows the crafting of components on-demand, and potentially eliminates the need to share designs or plans that may lead to intellectual property theft?
3D printing
86
Identify two types of certificates commonly used to implement access controls for mobile devices.
Trust (device) and user certificates
87
Which standard is associated with the Simultaneous Authentication of Equals (SAE)?
WPA3 (Wi-Fi 6)
88
Which type of device attack allows complete control of a device without the target device being paired with the attacker?
BlueBorne
89
Identify some reasons why DoH poses a security threat in an enterprise setting.
Answers may vary. DoH, if approved, must be configured to use a trusted provider. DoH encapsulates DNS traffic within https traffic making it harder to identify. DoH can bypass external DNS query restrictions configured on firewalls.
90
Identify how Bluetooth can be used for physical reconnaissance.
Answers may vary. Bluetooth devices are discoverable using freely available tools, meaning an attacker can locate out-of-sight devices and also collect information about the hardware and vendor.
91
Identify some reasons why EOL software and hardware are concerning.
Responses will vary but should include a description regarding the lack of vendor support and vendor-supplied security patches.
92
True or False. Operating System instances running in the cloud are patched automatically by the cloud provider.
Flase
93
Which types of attacks on the Android OS can bypass the protections of mandatory access control?
Inter-app communication attacks
94
Which control is designed to prevent a computer from being hijacked by a malicious OS?
Answers may vary but secure boot, measured boot, or attestation services all apply.
95
Which type of host protection should provide capabilities that directly align to the NIST Cybersecurity Framework Core?
Endpoint Protection and Response
96
True or False. Operating in a public cloud removes the need for BCDR plans due to the fact that cloud platforms are so reliable.
False
97
What name is given to the practice of splitting encrypted data outputs into multiple parts which are subsequently stored in disparate storage locations?
Bit Splitting or Cryptographic Splitting
98
Which cloud computing practice eliminates the use of traditional virtual machines to deliver cloud services?
Serverless Computing
99
What is a critical component dictating the implementation of logging capabilities in the cloud?
Legal and regulatory compliance
100
What is the primary source of data breach in the cloud?
Misconfiguration
101
Which component integrates practically all the components of a traditional chipset including GPU?
System on a Chip, or SoC
102
Which type of industrial computer is typically used to enable automation in assembly lines and is programmed using ladder language?
Programmable Logic Controller, or PLC
103
Which type of availability attack are industrial computers most sensitive to?
Denial of Service, or DoS
104
An ________ ________ describes the method by which ICS are isolated from other networked systems.
Air Gap
105
What makes attacks against ICS uniquely concerning?
Answers will vary, but essentially because ICS control systems that interact with the real world and can cause humanitarian and/or environmental disasters when breached or attacked.
106
What is the name of the algorithm used by SHA-3?
Kekkack
107
Which MAC method is commonly paired with Salsa20 on hardware that does not have integrated AES support?
Poly1305
108
Describe the key distribution problem.
Answers will vary. Should identify that it is associated with symmetric encryption and that sharing the key between two parties can be risky if not performed carefully.
109
Is Salsa20 a stream or block cipher?
Stream
110
How are modes of operation related to symmetric encryption?
Answers will vary. Modes of operation are like "techniques" used to make symmetric block ciphers operate in a way that is comparable to stream ciphers.
111
What symmetric encryption problem is asymmetric encryption uniquely equipped to solve?
Key distribution
112
What is the bulk encryption method used in the following cipher suite? ECDHE-RSA-AES128-GCMSHA256
AES
113
What encryption scheme is generally associated with protecting email?
Secure/Multipurpose Internet Mail Extensions (S/MIME)
114
What issue related to the use of authentication header (AH) makes it difficult/problematic to implement?
It does not work across NAT gateways.
115
Which implementation of Elliptic Curve Cryptography (ECC) is no longer recommended for use by the NSA?
P256
116
True or False. Private keys are contained within digital certificates.
False. Public keys are contained within digital certificates.
117
Which of the following would be best suited to protecting data stored on a removable disk: IPSec, TLS or AES?
AES is a symmetric block cipher and best suited to this. IPSec and TLS are associated with transport encryption.
118
Which device used to provide strong authentication stores a user's digital certificate, private key associated with the certificate, and a personal identification number (PIN)?
Smart card
119
How do device certificates help security operations?
Answers will vary. A description of using device certificates to identify authorized endpoints is appropriate.
120
What is the purpose of a bridge CA?
Answers will vary. A bridge CA allows the interoperability and shared trust between multiple, otherwise independent, PKIs. Bridge CAs enable cross-certification.
121
_________________ ___________________ is the entity responsible for issuing and guaranteeing certificates.
Certificate Authority
122
True or False. A website protected with a valid digital certificate is guaranteed to be safe.
False. The digital certificate provides assurance that the site is genuine, but it could still be rogue in nature.
123
What is another term to describe the requirement for both client and server devices to use certificates to verify identity?
Mutual authentication
124
What is the name of the response header configured on a web server to notify a browser to connect to the requested website using HTTPS only?
HTTP Strict Transport Security (HSTS)
125
The error message "your connection is not private" is displayed when accessing a known website. What is a possible cause of this error?
The website is configured to use a weak signing algorithm.
126
Which threat assessment approach is described as emulating known TTPs to mimic the actions of a threat in a realistic way, without emulating a specific threat actor?
Threat emulation
127
Which defensive approach describes a team of specialists working with the viewpoint of "assume breach"?
Threat Hunting
128
Which threat actor group includes adversaries such as Anonymous, WikiLeaks, or LulzSec?
Hacktivists
129
Developed by Lockheed Martin, this describes the steps/actions an adversary must complete in order to achieve their goals.
Cyber Kill Chain
130
True or False. CPE is a list of records where each item contains a unique identifier used to describe publicly known vulnerabilities.
False. The description is for CVE.CPE uses a syntax similar to Uniform Resource Identifiers (URI), CPE is a standardized naming format used to identify systems and software.
131
What vulnerability assessment analysis approach requires the evaluation of a system or software while it is running?
Dynamic assessment
132
What testing method uses specialty software tools designed to identify problems and issues with an application by purposely inputting/injecting malformed data to it?
Fuzzing or fuzz testing
133
This describes the actions of an attacker using one exploited system to access another within the same organization.
Pivoting
134
What document describes the manner in which a pentest may be performed?
Rules of Engagement (RoE)
135
Which category of tool describes the Metasploit tool?
An exploit framework
136
Honeytoken and canary files are types of _______________ files.
Decoy
137
Which type of deceptive technology is generally less complicated to deploy than other deceptive technologies but can serve a similar purpose?
Simulator
138
An ___________________________ system is one that is "unchangeable."
Immutable
139
______________________________ describes the set of configuration changes made to improve the security of an endpoint from what the default configuration provides.
Hardening
140
In Linux, ________________ describe self-contained software applications which include all the necessary components and libraries they need to be able to operate on an immutable system.
Flatpaks
141
Which type of vulnerability is caused by processes operating under the assumption that a critical parameter or piece of information has not changed?
TOCTOU
142
When reviewing the operation of a web application, the following is observed: https://www.foo.com/ products/ jsessionid=8858PNRX949WM26378/?item=bigscree n-tv. What is problematic with this?
The session ID is included in the URL, meaning that anyone with access to the jsessionid information could perform an authentication bypass attack for the identified user.
143
Which approach describes how software can be analyzed for open-source components?
Software Composition Analysis
144
True or False. JSON is not dependent upon web technologies.
True. JSON is designed to be leveraged by common web technologies.
145
What type of attack is most closely associated with the use of characters such as ' OR 'x' = 'x' -- ?
Authentication Bypass, a type of SQL injection attack.
146
True or False. By default, switches provide packet capture utilities full visibility into all traffic flows for connected devices.
False. A switch must be configured to mirror traffic or utilize a tap in order to provide full visibility for packet capture. Switches natively isolate traffic.
147
Two alerts are generated by an IDS, one with a priority value of 1 and the other with a priority value of 10. Which should be investigated first?
The one with a priority value of 1, which represents a more concerning event type.
148
Which security product is most likely to support the use of YARA rules?
Antivirus
149
In what ways does the support of security incidents differ from traditional tickets/requests in IT?
Answers will vary. The answer should describe how security incidents must be handled based on severity rather than order received.
150
What is most concerning regarding false negatives?
They represent legitimate security incidents that do not generate an alert.
151
What term describes evidence handling from collection through presentation in court?
Chain of custody
152
Which utility can be used to extract data from binary files and can display the contents in hexadecimal, decimal, octal, or ASCII formats
hexdump
153
Which tool can be used to identify interactions between processes and the Linux kernel?
strace
154
________________________ is a popular command line utility used to analyze memory dumps.
volatility
155
Which command line utility is designed to display real-time information about system memory, running processes, interrupts, paging, and I/O statistics?
vmstat
156
The cyclical process of identifying, assessing, analyzing, and responding to risks.
Risk management
157
The comprehensive process of evaluating, measuring, and mitigating the many risks that pervade an organization.
enterprise risk management (ERM)
158
A comprehensive set of standards for enterprise risk management.
Risk Management Framework (RMF) or ISO 31000
159
Likelihood and impact (or consequence) of a threat actor exercising a vulnerability.
Risk
160
In risk calculation, the chance of a threat being realized, expressed as a percentage.
Likelihood
161
The severity of the risk if realized by factors such as the scope, value of the asset, or the financial impacts of the event.
Impact
162
The amount that would be lost in a single occurrence of a particular risk factor.
Single Loss Expectancy (SLE)
163
The total cost of a risk to an organization on an annual basis. This is determined by multiplying the SLE by the annual rate of occurrence (ARO).
Annual Loss Expectancy (ALE)
164
In risk calculation, an expression of the probability/likelihood of a risk as the number of times per year a particular loss is expected to occur.
Annual Rate of Occurrence (ARO)
165
The value of an asset, such as a server or even an entire building.
Asset Value (AV)
166
In risk calculation, the percentage of an asset's value that would be lost during a security incident or disaster scenario.
Exposure Factor (EF)
167
Associated costs of an asset including acquisition costs and costs to maintain and safely operate the asset over its entire lifespan.
Total Cost of Ownership (TCO)
168
A metric to calculate whether an asset is worth the cost of deploying and maintaining it.
Return on Investment (ROI)
169
Metric representing average time taken for a device or component to be repaired, replaced, or otherwise recover from a failure.
Mean Time To Recovery (MTTR)
170
Metric for a device or component that predicts the expected time between failures.
Mean Time Between Failures (MTBF)
171
An analysis that measures the difference between current state and desired state in order to help assess the scope of work included in a project.
Gap Analysis
172
In risk mitigation, the practice of ceasing activity that presents risk.
Risk avoidance
173
The response of determining that a risk is within the organization's appetite and no countermeasures other than ongoing monitoring is needed.
Risk acceptance
174
The response of reducing risk to fit within an organization's risk appetite.
Risk mitigation
175
In risk mitigation, the response of moving or sharing the responsibility of risk to another entity, such as by purchasing cybersecurity insurance.
Risk transference
176
A specific path by which a threat actor gains unauthorized access to a system.
attack vectors
177
Risk that remains even after controls are put into place.
residual risk
178
A strategic assessment of what level of residual risk is tolerable for an organization.
Risk appetite
179
A formal mechanism designed to measure performance of a program against desired goals.
Key Performance Indicators (KPI)
180
The method by which emerging risks are identified and analyzed so that changes can be adopted to proactively avoid issues from occuring.
Key Risk Indicators (KRI)
181
Property by which a computing environment is able to gracefully fulfill its ever-increasing resource needs.
Scalability
182
The fundamental security goal of ensuring that an information processing system is trustworthy.
Reliability
183
The fundamental security goal of ensuring that computer systems operate continuously and that authorized persons can access data that they need.
Availability
184
Determines the thresholds that separate different levels of risk.
Risk tolerance
185
Comparing potential benefits to potential risks and determining a course of action based on adjusting factors that contribute to each area.
Tradeoff analysis
186
Security policy concept that states that duties and responsibilities should be divided among individuals to prevent ethical conflicts or abuse of powers.
Separation of duties
187
The policy of preventing any one individual performing the same role or tasks for too long. This deters fraud and provides better oversight of the person's duties.
Job rotation
188
The principle that states when and how long an employee must take time off from work so that their activities may be subjected to a security review.
Mandatory vacation
189
Basic principle of security stating that something should be allocated the minimum necessary rights, privileges, or information to perform its role.
Least privilege
190
A cloud service provider is any third-party organization providing infrastructure, application and/or storage services via an "as a service" subscription-based, cloud-centric offering.
Cloud Service Provider (CSP)
191
Identifies that responsibility for the implementation of security as applications, data and workloads are transitioned into a cloud platform are shared between the customer and the cloud service provider (CSP.)
Shared responsibility model
192
Cloud service model that provisions fully developed application services to users.
Software as a Service (SaaS)
193
Cloud service model that provisions application and database services as a platform for development of apps.
Platform as a Service (PaaS)
194
Cloud service model that provisions virtual machines and network infrastructure.
Infrastructure as a Service (IaaS)
195
A customer is dependent on a vendor for products or services because switching is either impossible or would result in substantial complexity and costs.
Vendor Lock-in
196
A vendor's product is developed in a way that makes it inoperable with other products, the ability to integrate it with other vendor products is not a feasible option or does not exist.
Vendor Lockout
197
A vendor that has a viable and in-demand product and the financial means to remain in business on an ongoing basis.
Vendor Viability
198
A copy of vendor-developed source code provided to a trusted third party in the event the vendor ceases business.
Source Code Escrow
199
Verifying the type and level of support to be provided by the vendor in support of their product or service.
Support Availability
200
Formally defining what functionality is required of a product or service, and taking steps to verify that a vendor's service or product provides at least this level of functionality.
Meeting Client Requirements
201
The end-to-end process of supplying, manufacturing, distributing, and finally releasing goods and services to a customer.
supply chain
202
The capacity to understand how all vendor hardware, software, and services are produced and delivered as well as how they impact an organization's operations or finished products.
Supply Chain Visibility (SCV)
203
Industry body providing security guidance to CSPs, including enterprise reference architecture and security controls matrix.
Cloud Security Alliance (CSA)
204
A framework of security best practices for Cloud service providers that is developed and maintained by the Cloud Security Alliance (CSA).
Security Trust and Risk (STAR)
205
Use of standards established by the American Institute of Certified Public Accountants (AICPA) to evaluate the policies, processes, and procedures in place and designed to protect technology and financial operations.
System and Organization Controls (SOC)
206
Develops many standards and frameworks governing the use of computers, networks, and telecommunications, including ones for information security (27K series) and risk management (31K series).
International Organization for Standardization (ISO)
207
A set of cybersecurity standards developed by the United States Department of Defense (DoD) and designed to help fortify the DoD supply chain by requiring suppliers to demonstrate that they have mature cybersecurity capabilities.
Cybersecurity Maturity Model Certification (CMMC)
208
A logically separate network, created by using switching technology. Even though hosts on two VLANs may be physically connected to the same cabling, local traffic is isolated to each VLAN so they must use a router to communicate.
virtual local area networks (VLAN)
209
Data that can be used to identify an individual and includes information about past, present, or future health, as well as related payments and data used in the operation of a healthcare business.
Protected Health Information (PHI)
210
Personal information about a consumer provided to a financial institution that can include account number, credit/debit card number, name, social security number and other information.
Personal Identifiable Financial Information (PIFI)
211
Data that is of commercial value and can be granted rights of ownership, such as copyrights, patents, and trademarks.
Intellectual property (IP)
212
A senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of an information asset.
data owner
213
The process of applying confidentiality and privacy labels to information.
Data classification
214
The process an organization uses to maintain the existence of and control over certain data in order to comply with business policies and/or applicable laws and regulations.
Data retention
215
In data protection, the principle that countries and states may impose individual requirements on data collected or stored within their jurisdiction.
Data sovereignty
216
An individual that is identified by privacy data.
data subject
217
A set of policies, contracts and standards identified as essential in the agreement between two parties.
attestation of compliance (AOC)
218
A process executed in four distinct phases: initiation and planning, certification, accreditation, and continuous monitoring.
Certification and accreditation (C&A)
219
Organizational role with technical responsibilities for implementation of security policies, frameworks, and controls.
Information System Security Officer(ISSO)
220
The entity responsible for reviewing the results of a certification and accreditation package, including audits reports, and making the final decision regarding accreditation status.
Certifying Authority
221
A formal letter of accreditation provided to the system owner granting them permission to operate a system.
Authority to Operate(ATO)
222
A set of standards developed by a group of governments working together to create a baseline of security assurance for a trusted operating system (TOS).
Common Criteria (CC)
223
Organizational security policies are (to some extent) driven by legislation introduced as a response to the growing appreciation of the threat posed by computer crime. Legislation can cover many aspects of security policy but the key concepts are due diligence (demonstrating awareness of security issues) and due care (demonstrating responses to identified threats). Security policy is also driven by adherence to industry codes of practice and standards.
Due care
224
A legal principal that a subject has used best practice or reasonable care when setting up, configuring, and maintaining a system.
due diligence
225
A process designed to preserve all relevant information when litigation is reasonably expected to occur.
legal hold
226
Procedures and tools to collect, preserve, and analyze digital evidence.
e-Discovery
227
Predetermined alternate location where a network can be rebuilt after a disaster.
cold site
228
Alternate processing location that is dormant or performs noncritical functions under normal conditions, but which can be rapidly converted to a key operations site if needed.
warm site
229
Fully configured alternate processing site that can be brought online either instantly or very quickly after a disaster.
hot site
230
An analysis of events that can provide insight into how to improve response processes in the future.
after action report (AAR)
231
Software or hardware device that protects a system or network by blocking unwanted network traffic.
Firewalls
232
An intermediate system working at the Network layer capable of forwarding packets around logical networks of different layer 1 and layer 2 types.
Routers
233
Type of switch, router, or software that distributes client requests between different resources, such as communications links or similarly-configured servers. This provides fault tolerance and improves throughput.
load balancer
234
A private network segment made available to a single cloud consumer on a public cloud.
Virtual Private Cloud (VPC)
235
A public IPv4 address that can be assigned to any instance or network interface in a VPC within an AWS account.
elastic IP address
236
Using persuasion, manipulation, or intimidation to make the victim violate a security policy. The goal of social engineering might be to gain access to an account, gain access to physical premises, or gather information.
social engineering
237
A preconfigured, self-contained virtual machine image ready to be deployed and run on a hypervisor.
virtual appliance
238
A special type of DNS record used to identify the email servers used by a domain.
MX records
239
Attack that involves the use of infected Internet-connected computers and devices to disrupt the normal flow of traffic of a server or service by overwhelming the target with traffic.
Distributed Denial of Service
240
An approach that protects the attack from consuming all available bandwidth and impacting other servers and services on the network. It reduces the amount of throughput available to the server or service being attacked.
Rate Limiting
241
A firewall designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks.
Web Application Firewall (WAF)
242
Retrieves all the traffic intended for an endpoint and drops both legitimate and malicious traffic.
Blackhole Routing
243
A cloud service provider is any third-party organization providing infrastructure, application and/or storage services via an "as a service" subscription-based, cloud-centric offering.
Cloud Service Providers
244
Reflects the methods used to reduce the impact of a distributed denial of service (DDoS) attack. DDoS mitigation can be implemented through the use of special software or by deploying a virtual appliance designed to provide DDoS protection.
DDoS Mitigation Software/Appliance
245
All-in-one security appliances and agents that combine the functions of a firewall, malware scanner, intrusion detection, vulnerability scanner, data loss prevention, content filtering, and so on.
unified threat management (UTM)
246
A security measure performed on email and internet traffic to identify suspicious, malicious and/or inappropriate content in accordance with an organization’s policies.
Content Filtering
247
A protocol specifying Internet mail message formats and attachments.
MIME (Multi-Purpose Internet Mail Extensions)
248
Software solution that detects and prevents sensitive information from being stored on unauthorized systems or transmitted over unauthorized networks.
Data Loss Prevention (DLP)
249
Junk messages sent over email (or instant messaging, which is called spim). It can also be utilized within social networking sites.
SPAM
250
Identifies known bad senders. Security companies typically provide this as a service to organizations to reduce SPAM messages.
SPAM Block Lists (SBL)
251
Inspecting traffic to locate and block viruses.
Antivirus
252
A feature of many proxy servers that enables the servers to retain a copy of frequently requested web pages.
caching engines
253
A server that redirects requests and responses for clients configured with the proxy address and port.
non-transparent proxy
254
A server that redirects requests and responses without the client being explicitly configured to use it. Also referred to as a forced or intercepting proxy.
transparent proxy
255
An attack that injects a database query into the input data directed at a server by accessing the client side of the application.
SQL injection
256
A malicious script hosted on the attacker's site or coded in a link injected onto a trusted site designed to compromise clients browsing the trusted site, circumventing the browser's security model of trusted zones.
cross-site scripting (XSS)
257
A malicious script hosted on the attacker's site that can exploit a session started on another site in the same browser.
cross-site request forgery (XSRF)
258
A web application vulnerability that allows an attacker either to download a file from an arbitrary location on the host file system or to upload an executable or script file to open a backdoor.
file inclusion
259
An application attack that allows access to commands, files, and directories that may or may not be connected to the web document root directory.
directory traversal
260
An open source Web Application Firewall (WAF) for Apache, nginx, and IIS.
ModSecurity
261
A special cloud-based service that is used to centralize the functions provided by APIs.
API gateway
262
A system for structuring documents so that they are human- and machine-readable. Information within the document is placed within tags, which describe how information within the document is structured.
eXtensible Markup Language (XML)
263
Attack where a threat actor injects false resource records into a client or server cache to redirect a domain name to an IP address of the attacker's choosing.
DNS Poisoning
264
Amount of time that the record returned by a DNS query should be cached before discarding it.
time to live (TTL)
265
A security protocol that provides authentication of DNS data and upholds DNS data integrity.
Domain Name System Security Extensions (DNSSEC)
266
All resource records for a domain that have the same type.
Resource Record Set (RRset)
267
Used to sign the RRset of a zone in order for it to be verified as trustworthy by receiving systems.
Zone Signing Key
268
Used to sign the special DNSKEY record which contains the (public) Zone Signing Key.
Key Signing Key
269
Secure tunnel created between two endpoints connected via an unsecure transport network (typically the Internet).
Virtual Private Network (VPN)
270
General term for the collected protocols, policies, and hardware that authenticate and authorize access to a network at the device level.
Network Access Control (NAC)
271
Security appliance or software that uses passive hardware sensors to monitor traffic on a specific segment of the network.
Network intrusion detection system (NIDS)
272
A server running intrusion detection software that analyzes network traffic for signs of suspicious activity.
NIDS Server
273
A device that captures network traffic within a specific segment of a network and forwards it to the NIDS Server for analysis.
NIDS Sensors
274
Copying ingress and/or egress communications from one or more switch ports to another port. This is used to monitor communications passing over the switch.
switched port analyzer (SPAN)
275
Hardware device inserted into a cable to copy frames for analysis.
test access port (TAP)
276
A type of NIDS that scans the radio frequency spectrum for possible threats to the wireless network, primarily rogue access points.
wireless intrusion detection system (WIDS)
277
Wireless access point that has been enabled on the network without authorization.
rogue access points
278
Wireless access point that deceives users into believing that it is a legitimate network access point.
evil twins
279
Type of wireless network where connected devices communicate directly with each other instead of over an established medium.
Ad hoc networks
280
Attack where the threat actor makes an independent connection between two victims and is able to read and possibly modify traffic.
On-path
281
An inline security device that monitors suspicious network and/or system traffic and reacts in real time to block it.
network intrusion prevention system (NIPS)
282
An active, inline security device that monitors suspicious network and/or system traffic on a wireless network and reacts in real time to block it.
wireless intrusion prevention system
283
A type of software that reviews system files to ensure that they have not been tampered with.
File Integrity Monitoring (FIM)
284
Application protocol used for monitoring and managing network devices. SNMP works over UDP ports 161 and 162 by default.
Simple Network Management Protocol (SNMP)
285
Cisco-developed means of reporting network flow information to a structured database. NetFlow allows better understanding of IP traffic flows as used by different network applications and hosts.
NetFlow
286
Web standard for using sampling to record network traffic statistics.
sFlow
287
A cloud service provider data center.
availability zones
288
Distributing and replicating the components of any service (such as web apps, media and storage) across all the key service areas needing access to the content.
Content Delivery Network (CDN)
289
Caching is a technique used for maintaining consistent performance during file access and data processing. It generally works where components are mismatched in terms of the speed at which they can operate. Caching allows a slow component to store data it cannot process at that moment (a disk drive storing up write instructions for instance) or a fast component to pre-fetch data that it might need soon (a CPU storing instructions from system memory for reuse for example).
Caching
290
The process of creating a simulation of a computing environment, where the virtualized system can simulate the hardware, operating system, and applications of a typical computer without being a separate physical computer.
Virtualization
291
A guest operating system installed on a host computer using virtualization software (a hypervisor), such as Microsoft Hyper-V or VMware.
virtual machines (VM)
292
In software development, a user acceptance testing environment that is a copy of the production environment.
Staging
293
Policies, procedures, and tools designed to ensure defect-free development and delivery.
Quality Assurance (QA)
294
An IT environment available to consumer for normal, day-to-day use.
Production
295
A computing environment that is isolated from a host system to guarantee that the environment runs in a controlled, secure fashion. Communication links between the sandbox and the host are usually completely prohibited.
Sandboxing
296
A network service that stores identity information about all the objects in a particular network, including users, groups, servers, client computers, and printers.
Directory services
297
Service that maps fully qualified domain name labels to IP addresses on most TCP/IP networks, including the Internet.
Domain Name System (DNS)
298
A software architecture where components of the solution are conceived as loosely coupled services not dependent on a single platform type or technology.
Service-oriented architecture (SOA)
299
A common component of SOA architecture that facilitates decoupled service-to-service communication.
enterprise service bus (ESB)
300
The processes of planning, analysis, design, implementation, and maintenance that often govern software and systems development.
software development life cycle (SDLC)
301
The process of testing an application after changes are made to see if these changes have triggered problems in older areas of code.
regression test
302
The developer writes a simple "pass/no pass" test for code. This ensures that a particular block of code performs the exact action intended, and provides the exact output expected.
unit test
303
Individual components of a system are tested together to ensure that they interact as expected.
integration test
304
A software development model where the phases of the SDLC cascade so that each phase will start only when all tasks identified in the previous phase are complete.
waterfall model
305
A software development method that combines several approaches, such as incremental and waterfall, into a single hybrid method that is modified repeatedly in response to stakeholder feedback and input.
spiral method
306
A software development model that focuses on iterative and incremental development to account for evolving requirements and expectations.
Agile model
307
The practice of ensuring that the assets that make up a project are closely managed when it comes time to make changes.
version control
308
Software development method in which code updates are tested and committed to a development or build server/code repository rapidly.
Continuous Integration (CI)
309
A class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment.
security orchestration automation and response (SOAR)
310
A charity and community publishing a number of secure application development resources.
Open Web Application Security Project (OWASP)
311
A set of rules governing user security information, such as password expiration and uniqueness, which can be set globally.
account policies
312
Policies, procedures, and support software for managing accounts and credentials with administrative permissions.
Privileged Access Management (PAM)
313
A process that provides a shared login capability across multiple systems and enterprises. It essentially connects the identity management services of multiple systems.
Federation
314
An identity federation method that enables users to be authenticated on cooperating websites by a third-party authentication service.
OpenID
315
An XML-based data format used to exchange authentication information between a client and a service.
Security Assertion Markup Language (SAML)
316
An XML-based web services protocol that is used to exchange messages.
Simple Object Access Protocol (SOAP)
317
An identity federation method that provides single sign-on capabilities and enables websites to make informed authorization decisions for access to protected online resources.
Shibboleth
318
In PKI, a description of how users and different CAs exchange information and certificates.
trust model
319
Access control model where each resource is protected by an Access Control List (ACL) managed by the resource's owner (or owners).
Discretionary Access Control (DAC)
320
Access control model where resources are protected by inflexible, system defined rules. Resources (objects) and users (subjects) are allocated a clearance level (or label).
Mandatory Access Control (MAC)
321
Access control model where resources are protected by ACLs that are managed by administrators and that provide user permissions based on job functions.
Role-Based Access Control (RBAC)
322
An access control technique that evaluates a set of attributes that each subject possesses to determine if access should be granted.
Attribute-Based Access Control (ABAC)
323
A non-discretionary access control technique that is based on a set of operational rules or restrictions to enforce a least privileges permissions policy.
Rule-Based Access Control
324
Authentication technology that enables a user to authenticate once and receive authorizations for multiple services.
single sign-on (SSO)
325
AAA protocol used to manage remote and wireless authentication infrastructures.
Remote Authentication Dial-In User Service (RADIUS)
326
AAA protocol developed by Cisco that is often used to authenticate to administrator accounts for network appliance management.
Terminal Access Controller Access Control System Plus (TACACS+)
327
Network protocol used to access network directory databases, which store information about authorized users and their privileges, as well as other organizational information.
Lightweight Directory Access Protocol (LDAP)
328
A method of implementing LDAP using SSL/TLS encryption.
Secure LDAP (LDAPS)
329
Single sign-on authentication and authorization service that is based on a time-sensitive ticket-granting system.
Kerberos
330
Component of Kerberos that authenticates users and issues tickets (tokens).
Key Distribution Center (KDC)
331
Standard for federated identity management, allowing resource servers or consumer sites to work with user accounts created and managed on a separate identity provider.
Open Authorization (OAuth)
332
Framework for negotiating authentication methods that enables systems to use hardware-based identifiers, such as fingerprint scanners or smart card readers, for authentication, and establish secure tunnels through which to submit credentials.
Extensible Authentication Protocol (EAP)
333
Standard for encapsulating EAP communications over a LAN (EAPoL) to implement port-based authentication.
IEEE 802.1X
334
In EAP architecture, the device requesting access to the network.
Supplicant
335
A PNAC switch or router that activates EAPoL and passes a supplicant's authentication data to an authenticating server, such as a RADIUS server.
authenticators
336
Authentication scheme that requires the user to present at least two different factors as credentials, from something you know, something you have, something you are, something you do, and somewhere you are. Specifying two factors is known as 2FA.
multifactor authentication (MFA)
337
A common form of multi-factor authentication (MFA) that uses two authentication factors, such as something you know and something you have, also known as 2-step authentication.
Two-Factor Authentication (2FA)
338
Use of a communication channel that is different than the one currently being used.
out-of-band mechanisms
339
Use of a communication channel that is the same as the one currently being used.
In-band authentication
340
A server that is not integrated into a Microsoft Active Directory Domain.
standalone server
341
An algorithm that generates a one-time password using a hash-based authentication code to verify the authenticity of the message.
HMAC-Based One-Time Password (HOTP)
342
An improvement on HOTP that forces one-time passwords to expire after a short period of time.
Time-Based One-Time Password (TOTP)
343
A cryptographic module embedded within a computer system that can endorse trusted execution and attest to boot settings and metrics.
hardware root of trust (RoT)
344
A specification for hardware-based storage of digital certificates, keys, hashed passwords, and other user and platform identification information.
trusted platform module (TPM)
345
A standardized, stateless architectural style used by web applications for communication and integration.
representation state transfer (REST)
346
A compact and self-contained method for securely transmitting messages.
JSON Web Token
347
Proving the integrity and authenticity of a message by combining its hash with a shared secret.
Message Authentication Code (MAC)
348
Specifications that support redundancy and fault tolerance for different configurations of multiple-device storage systems.
RAID
349
An operating system virtualization deployment containing everything required to run a service, application, or microservice.
containers
350
Features and capabilities of a server without needing to perform server administration tasks. Serverless computing offloads infrastructure management to the cloud service provider - for example, configuring file storage capability without the requirement of first building and deploying a file server.
serverless computing
351
A software architecture where components of the solution are conceived as highly decoupled services not dependent on a single platform type or technology.
microservices
352
Classifying the ownership and management of a cloud as public, private, community, or hybrid.
cloud deployment model
353
A cloud that is deployed for shared use by multiple independent tenants.
Public cloud (or multi-tenant)
354
A cloud service provider is any third-party organization providing infrastructure, application and/or storage services via an "as a service" subscription-based, cloud-centric offering.
cloud service providers (CSPs)
355
A cloud deployment model where the cloud consumer uses mutiple public cloud services.
Multi-cloud
356
A cloud that is deployed for use by a single entity.
Private cloud
357
A method of computing that involves realtime communication over large distributed networks to provide the resources, software, data, and media needs of a user, business, or organization.
cloud computing
358
A cloud that is deployed for shared use by cooperating tenants.
Community cloud
359
A concept in which an expanding list of transactional records listed in a public ledger is secured using cryptography.
Blockchain
360
A component of AI that enables a machine to develop strategies for solving a task given a labeled dataset where features have been manually identified but without further explicit instructions.
Machine learning (ML)
361
Using AI to identify vulnerabilities and attack vectors to circumvent security systems.
adversarial AI
362
A refinement of machine learning that enables a machine to develop strategies for solving a task given a labeled dataset and without further explicit instructions.
deep learning
363
The use of artificial intelligence and machine learning to generate a highly-realistic video of a person. A fake video rendered using deep learning.
deep fakes
364
A form of authentication that does not require the use of knowledge based information, such as a password, in order to prove identity.
passwordless authentication
365
Method that allows computation of certain fields in a dataset without decrypting it.
Homomorphic encryption
366
Calculations performed by more than one system whereby the function used to perform the calculations is only known by a single party.
Secure Multi-Party Computation (MPC/SMPC)
367
A firmware update delivered on a cellular data connection.
over the air (OTA)
368
Software that allows deletion of data and settings on a mobile device to be initiated from a remote server.
Remote wipe
369
A toggle found on mobile devices enabling the user to disable and enable wireless functionality quickly.
airplane mode
370
Personal authentication mechanism for Wi-Fi networks introduced with WPA3 to address vulnerabilities in the WPA-PSK method.
Simultaneous Authentication of Equals (SAE)
371
A high performance mode of operation for symmetric encryption. Provides a special characteristic called authenticated encryption with associated data, or AEAD.
AES Galois Counter Mode Protocol (GCMP)
372
A standard for peer-to-peer (2-way) radio communications over very short (around 4") distances, facilitating contactless payment and similar technologies. NFC is based on RFID.
Near Field Communication (NFC)
373
Using the cellular data plan of a mobile device to provide Internet access to a laptop or PC. The PC can be tethered to the mobile by USB, Bluetooth, or Wi-Fi (a mobile hotspot).
hotspot
374
Using the cellular data plan of a mobile device to provide Internet access to a laptop or PC. The PC can be tethered to the mobile by USB, Bluetooth, or Wi-Fi (a mobile hotspot).
tethering
375
Security control that can enforce a virtual boundary based on real-world geography.
Geofencing
376
Adding geographical information to files, such as latitude and longitude coordinates as well as date and time.
Geotagging
377
Methods of provisioning mobile devices to users, such as BYOD and CYOD.
deployment model
378
Security framework and tools to facilitate use of personally-owned devices to access corporate networks and data.
Bring your own device (BYOD)
379
Enterprise mobile device provisioning model where the device is the property of the organization and personal use is prohibited.
Corporate owned, business only (COBO)
380
Enterprise mobile device provisioning model where the device remains the property of the organization, but certain personal use, such as private email, social networking, and web browsing, is permitted.
Corporate owned, personally enabled (COPE)
381
Enterprise mobile device provisioning model where employees are offered a selection of corporate devices for work and, optionally, private use.
Choose your own device (CYOD)
382
Installing an app to a mobile device without using an app store.
sideloading
383
A type of virtualization applied by a host operating system to provision an isolated execution environment for an application.
Containerization
384
Process of making a host or app configuration secure by reducing its attack surface, through running only necessary services, installing monitoring software to protect against malware and intrusions, and establishing a maintenance schedule to ensure the system is patched to be secure against software exploits.
hardening
385
The process of determining what additional software may be installed on a client or server beyond its baseline to prevent the use of unauthorized software.
Execution control
386
Since version 4.3, Android has been based on Security-Enhanced Linux, enabling granular permissions for apps, container isolation, and storage segmentation.
SEAndroid
387
A firmware interface that initializes hardware for an operating system boot.
Basic Input/Output System (BIOS)
388
A type of system firmware providing support for 64-bit CPU operation at boot, full GUI and mouse operation at boot, and better boot security.
Unified Extensible Firmware Interface (UEFI)
389
A UEFI feature that prevents unwanted processes from executing during the boot operation.
Secure boot
390
A UEFI feature that gathers secure metrics to validate the boot process in an attestation report.
measured boot
391
An appliance for generating and storing cryptographic keys. This sort of solution may be less susceptible to tampering and insider threats than software-based storage.
hardware security module (HSM)
392
A software application running on a single host and designed to protect only that host.
Host-based firewall
393
A type of IDS that monitors a computer system for unexpected behavior or drastic changes to the system's state.
Host-based intrusion detection systems (HIDS)
394
A software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats.
endpoint detection and response (EDR)
395
Storing data across different storage locations (such as multiple data centers) to improve durability and availability
Data dispersion
396
Splitting encrypted data into parts which are then stored in different storage locations and further encrypted at the storage location.
bit splitting
397
Splitting encrypted data into parts which are then stored in different storage locations and further encrypted at the storage location.
cryptographic splitting
398
A software architecture that runs functions within virtualized runtime containers in a cloud rather than on dedicated server instances.
serverless
399
Provisioning architecture in which deployment of resources is performed by scripted automation and orchestration.
Infrastructure as Code (IaC)
400
Enterprise management software designed to mediate access to cloud services by users across all types of devices.
cloud access security broker (CASB)
401
Devices that can report state and configuration data and be remotely managed over IP networks.
Internet of Things (IoT)
402
Type of processor designed to perform a specific function, such as switching.
application-specific integrated circuits (ASICs)
403
A processor that can be programmed to perform a specific function by a customer rather than at the time of manufacture.
field programmable gate array (FPGA)
404
Network managing embedded devices (computer systems that are designed to perform a specific, dedicated function).
Industrial control systems (ICSs)
405
Input and output controls on a PLC to allow a user to configure and monitor the system.
human-machine interfaces (HMIs)
406
Software that aggregates and catalogs data from multiple sources within an industrial control system.
data historian
407
Type of industrial control system that manages large-scale, multiple-site devices and equipment spread over geographically large areas from a host computer.
supervisory control and data acquisition (SCADA)
408
Control systems that maintain an optimum heating, cooling, and humidity level working environment for different parts of the building.
HVAC (Heating, Ventilation, Air Conditioning)
409
A serial network designed to allow communications between embedded programmable logic controllers.
CAN bus (controller area network)
410
Communications network designed to implement an industrial control system rather than data networking.
operational technology (OT)
411
A communications protocol used in operational technology networks.
Modbus
412
A specialized communication protocol used by industrial control systems to acheive automation.
Common Industrial Protocol (CIP)
413
Associated with industrial controls used in water and electric utilities, DNP3 allows ICS components to communicate with each other.
Distributed Network Protocol (DNP3)
414
Function that converts an arbitrary length string input to a fixed length string output. A cryptographic hash function does this in a way that reduces the chance of collisions, where two different inputs produce the same output.
hashing
415
In cryptography, the act of two different plaintext inputs producing the same exact ciphertext output.
collisions
416
A cryptographic hash function producing a 128-bit output.
Message Digest Algorithm (MD5)
417
A cryptographic hashing algorithm created to address possible weaknesses in MDA. The current version is SHA-2.
Secure Hash Algorithm (SHA)
418
A method used to verify both the integrity and authenticity of a message by combining a cryptographic hash of the message with a secret key.
hash-based message authentication code (HMAC)
419
A type of symmetric encryption that combines a stream of plaintext bits or bytes with a pseudorandom stream initialized by a secret key.
stream cipher
420
A technique used in cryptography to generate random numbers to be used along with a secret key to provide data encryption.
initialization vector (IV)
421
A type of symmetric encryption that encrypts data one block at a time, often in 64-bit blocks. It is usually more secure, but is also slower, than stream ciphers.
block cipher
422
In asymmetric encryption, the private key is known only to the holder and is linked to, but not derivable from, a public key distributed to those with which the holder wants to communicate securely. A private key can be used to encrypt data that can be decrypted by the linked public key or vice versa.
private keys
423
During asymmetric encryption, this key is freely distributed and can be used to perform the reverse encryption or decryption operation of the linked private key in the pair.
public key
424
A message digest encrypted using the sender's private key that is appended to a message to authenticate the sender and prove message integrity.
digital signature
425
An email encryption standard that adds digital signatures and public key cryptography to traditional MIME communications.
Secure/Multipurpose Internet Mail Extensions (S/ MIME)
426
A library of programming utilities used, for example, to enable software developers to access functions of the TCP/IP network stack under a particular operating system.
application programming interface (API)
427
An EAP method that requires server-side and client-side certificates for authentication using SSL/ TLS.
EAP Transport Layer Security (EAP-TLS)
428
EAP implementation that uses a server-side certificate to create a secure tunnel for user authentication, referred to as the inner method.
Protected Extensible Authentication Protocol (PEAP)
429
An EAP method that enables a client and server to establish a secure connection without mandating a clientside certificate.
EAP Tunneled Transport Layer Security (EAP-TTLS)
430
An EAP method that is expected to address the shortcomings of LEAP.
EAP with Flexible Authentication via Secure Tunneling (EAP-FAST)
431
Network protocol suite used to secure data through authentication and encryption as the data travels across the network or the Internet.
Internet Protocol Security (IPSec)
432
IPSec protocol that provides authentication for the origin of transmitted data as well as integrity and protection against replay attacks.
Authentication Header (AH)
433
IPSec sub-protocol that enables encryption and authentication of the header and payload of a data packet.
Encapsulating Security Payload (ESP)
434
A cipher that uses public and private keys. The keys are mathematically linked, using either Rivel, Shamir, Adleman (RSA) or elliptic curve cryptography (ECC) alogrithms, but the private key is not derivable from the public one. An asymmetric key cannot reverse the operation it performs, so the public key cannot decrypt what it has encrypted, for example.
Elliptic curve cryptography (ECC)
435
A technique that strengthens potentially weak input for cryptographic key generation, such as passwords or passphrases created by people, against bruteforce attacks.
Key stretching
436
Framework of certificate authorities, digital certificates, software, services, and other cryptographic components deployed for the purpose of validating subject identities.
Public key infrastructure (PKI)
437
Information that is primarily stored on specific media, rather than moving from one medium to another.
Data at rest
438
Information that is being transmitted between two hosts, such as over a private network or the Internet.
Data in transit
439
The use of a specialized card containing cryptographic information to achieve authentication.
Smart card authentication
440
A server that guarantees subject identities by issuing signed digital certifcate wrappers for their public keys.
certificate authority (CA)
441
A method of validating a certificate by tracing each CA that signs the certificate, up through the hierarchy to the root CA. Also referred to as chain of trust.
certificate chaining
442
A Base64 ASCII file that a subject sends to a CA to get a certificate.
certificate signing request (CSR)
443
Field in a digital certificate allowing a host to be identifed by multiple host names/subdomains.
Subject Alternative Name (SAN)
444
A single SSL certificate that can be used to secure multiple, different domain names.
multi-domain certificates
445
The method of using a digital signature to ensure the source and integrity of programming code.
code signing
446
A list of certificates that were revoked before their expiration date.
certificate revocation list (CRL)
447
Allows clients to request the status of a digital certificate, to check whether it is revoked.
Online Certificate Status Protocol (OCSP)
448
A deprecated method of trusting digital certificates that bypasses the CA hierarchy and chain of trust to minimize man-in-the-middle attacks.
Pinning
449
Allows a webserver to perform certificate status checking instead of the browser. The webserver checks the status of a certificate and provides the browser with the digitally signed response from the OCSP responder.
Certificate stapling
450
An inexperienced, unskilled attacker that typically uses tools or scripts created by others.
script kiddie
451
A type of threat actor who is assigned privileges on the system that cause an intentional or unintentional incident.
insider threat
452
A type of threat actor that uses hacking and computer fraud for commercial gain.
organized crime
453
A threat actor that is motivated by a social issue or political cause.
Hacktivists
454
An attacker's ability to obtain, maintain, and diversify access to network systems using exploits and malware.
Advanced Persistent Threat (APT)
455
A type of threat actor that is supported by the resources of its host country's military and security services.
State actors
456
A risk management approach to quantifying vulnerability data and then taking into account the degree of risk to different types of systems or information.
Common Vulnerability Scoring System (CVSS)
457
An attack in which data goes past the boundary of the destination buffer and begins to corrupt adjacent memory. This can allow the attacker to crash the system or execute arbitrary code.
Buffer overflow
458
A technique that randomizes where components in a running application are placed in memory to protect against buffer overflows.
Address Space Layout Randomization (ASLR)
459
A form of malware protection designed to block applications (malware) that attempt to run from protected memory locations.
Data Execution Protection (DEP)
460
The process of reviewing uncompiled source code either manually or using automated tools.
Static code analysis
461
Exploit technique that runs malicious code with the ID of a legitimate process.
code injection
462
A vulnerability that allows an attacker to transmit code from a remote host for execution on a target host or a module that exploits such a vulnerability.
remote code execution (RCE)
463
An application attack that targets web-based applications by fabricating LDAP statements that are typically created by user input.
LDAP injection
464
Where a threat actor is able to execute arbitrary shell commands on a host via a vulnerable web application.
Command injection
465
Exploiting a misconfiguration to direct traffic to a different VLAN without authorization.
VLAN hopping
466
Group of network prefixes under the administrative control of a single organization used to establish routing boundaries.
autonomous systems (AS)
467
Analysis of the headers and payload data of one or more frames in captured network traffic.
Packet analysis
468
Analysis of per-protocol utilization statistics in a packet capture or network traffic sampling.
Protocol analysis
469
Command-line packet sniffing utility.
tcpdump command
470
Widely used protocol analyzer.
Wireshark
471
OS and applications software can be configured to log events automatically. This provides valuable troubleshooting information. Security logs provide an audit trail of actions performed on the system as well as warning of suspicious activity. It is important that log configuration and files be made tamper-proof.
logs
472
A widget showing records or metrics in a visual format, such as a graph or table.
Visualization
473
Standards-based version of the Netflow framework.
IP Flow Information Export (IPFIX)
474
A sign that an asset or network has been attacked or is currently under attack.
indicator of compromise (IOC)
475
Solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications.
Security information and event management (SIEM)
476
In security scanning, a case that is reported when it should not be.
false positive
477
In security scanning, a case that is not reported when it should be.
False negatives
478
In security scanning, a case that is reported when it should be.
True positive
479
In security scanning, a case that is not reported when it should not be.
true negative
480
Specific procedures that must be performed if a certain type of event is detected or reported.
Incident response plans (IRP)
481
The record of evidence history from collection, to presentation in court, to disposal.
chain of custody
482
In digital forensics, the method and tools used to create a forensically sound copy of data from a source device, such as system memory or a hard disk.
Data acquisition
483
A highly adaptable, open-source network scanner used primarily to scan hosts and ports to locate services and detect vulnerabilites.
Nmap
484
Spoofing frames to disconnect a wireless station to try to obtain authentication data to crack.
deauthentication attack
485
An attack against Windows systems designed to replace the important DLL's needed by software applications with malicious alternatives.
DLL hijacking
486
VM Escape
This VM exploit gives an attacker access to the underlying host operating systems and thereby access to all other VMs running on that host machine.